
VPN / DNS oddity.

Discussion in 'Asuswrt-Merlin' started by Skruf, Oct 9, 2019.

  1. Skruf

    Skruf Occasional Visitor

    Joined:
    Feb 26, 2019
    Messages:
    16
    Hey,
    I've stumbled on something I do not understand and thought I'd post it so someone could let me know what I'm missing...

    I run a VM that has Pi-hole/Unbound and NSD running for DNS service... Running on the local network.

    On the router both WAN and LAN (DHCP) DNS servers are set to the above internal DNS server (192.168.1.x). The VPN is set to Policy Rules (Strict) and Exclusive on the Accept DNS configuration.

    If I use DHCP to issue an IP address to any client going through the VPN or if I have a static IP address (with local DNS servers) then I get a DNS leak showing on the VPN.

    If I set the static IP address and use external DNS servers (9.9.9.9, etc) there is no DNS leak.

    If someone can help me understand that I'd appreciate it. Thanks.
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,451
    Location:
    UK
  3. Skruf

    Skruf Occasional Visitor

    Joined:
    Feb 26, 2019
    Messages:
    16
    Hey,

    Yes, and no... The DNS servers are no longer going through a VPN. After putting them through the WAN is where I noticed the difference.
     
  4. Skruf

    Skruf Occasional Visitor

    Joined:
    Feb 26, 2019
    Messages:
    16
    Hey,

    FWIW, this is how I solved my issue...

    I enabled the JFFS partition and formatted it on the follow-up boot. Then I created a dnsmasq.conf.add file (in /jffs/configs/) and entered the following in it:

    Code:
    dhcp-option=tag:vpndns,option:dns-server,10.10.10.1,10.10.10.2
    dhcp-mac=set:vpndns,xx:xx:xx:xx:xx:xx
    After that a reboot...

    The DNS servers are bogus as the VPN is forcing the clients to use their servers. The "vpndns" is obviously the tag I used and the dhcp-mac line defines the clients (their MAC) using the defined DNS servers.

    Mainly I just wanted to be able to use DHCP on the router to keep things simple and uniform with the rest of the network. So far it seems to do what I want it to... until I break it again...

    Best.
     
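    An added check, not from the post above or from Asuswrt-Merlin's own code, that reads dnsmasq tag/mac rules like the ones in the post and reports which DNS servers a given client MAC would be handed; it goes beyond the post's single-MAC case by also handling dnsmasq's per-octet `*` wildcard in dhcp-mac. The MACs and resolver addresses in the sample are constructed placeholders, and the untagged dns-server line stands in for the router's own DHCP DNS setting.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the style of /jffs/configs/dnsmasq.conf.add; MACs and
# resolver addresses are placeholders, the last line mimics the router's LAN DNS.
SAMPLE_CONF = """
dhcp-option=tag:vpndns,option:dns-server,10.10.10.1,10.10.10.2
dhcp-mac=set:vpndns,aa:bb:cc:dd:ee:ff
dhcp-mac=set:vpndns,aa:bb:cc:*:*:*
dhcp-option=option:dns-server,192.168.1.53
"""

MacRule = Tuple[str, str]                  # (tag, mac pattern)
DnsRule = Tuple[Optional[str], List[str]]  # (required tag or None, servers)


def parse_conf(text: str) -> Tuple[List[MacRule], List[DnsRule]]:
    """Pick out dhcp-mac tag rules and dns-server option lines."""
    mac_rules: List[MacRule] = []
    dns_rules: List[DnsRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"dhcp-mac=set:([^,]+),([0-9a-fA-F*:]+)", line)
        if m:
            mac_rules.append((m.group(1), m.group(2).lower()))
            continue
        m = re.fullmatch(r"dhcp-option=(?:tag:([^,]+),)?option:dns-server,(.+)", line)
        if m:
            dns_rules.append((m.group(1), m.group(2).split(",")))
    return mac_rules, dns_rules


def mac_matches(mac: str, pattern: str) -> bool:
    """dnsmasq dhcp-mac semantics: compare octet by octet, '*' matches any octet."""
    m, p = mac.lower().split(":"), pattern.split(":")
    return len(m) == len(p) == 6 and all(po in ("*", mo) for mo, po in zip(m, p))


def dns_servers_for(mac: str, conf: str = SAMPLE_CONF) -> List[str]:
    """Resolvers the DHCP offer to this client would carry: a matching tagged
    dns-server option takes precedence over the untagged one, as in dnsmasq."""
    mac_rules, dns_rules = parse_conf(conf)
    tags = {tag for tag, pat in mac_rules if mac_matches(mac, pat)}
    for tag, servers in dns_rules:
        if tag is not None and tag in tags:
            return servers
    for tag, servers in dns_rules:
        if tag is None:
            return servers
    return []  # no dns-server option at all: dnsmasq advertises itself
```

Run it against your real dnsmasq.conf.add and the MAC of a VPN-routed client to confirm the client is offered the resolvers you expect before checking for leaks from that client.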
  5. sl4fko

    sl4fko Occasional Visitor

    Joined:
    Nov 1, 2018
    Messages:
    36
    Location:
    Slovenia
    I'd like to borrow this topic for a few moments...

    I have NordVPN on my AC86U configured with both NordVPN custom DNSs.

    Question:
    Can I (should I?) use the DoT DNS privacy protocol, or does it not make sense anymore because of both NordVPN custom DNSs?

    Thanks!
     
  6. Markster

    Markster Regular Contributor

    Joined:
    Jan 29, 2019
    Messages:
    63
    Both will be secured. If you decide to use DNSSEC and DoT, set OpenVPN client DNS to Disabled. If you want to use NordVPN DNS, set OpenVPN DNS to Exclusive. DoT would be faster and can be as secure as NordVPN DNS.